Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods
Sanjit A. Seshia and Randal E. Bryant
Computer Science Department, Carnegie Mellon University
Timed Automata [Alur, Courcoubetis & Dill '90]
§ A modeling formalism for timed systems
  • e.g., real-time systems, timed asynchronous circuits
§ Generalization of a finite automaton with:
  • Non-negative real-valued clock variables
    - Can only be reset to 0 or to another clock
  • Constraints on clocks as guards on states and transitions
[Figure: a two-state timed automaton. State s=true carries the invariant x1 ≤ 5; state s=false carries the invariants x1 ≤ 10 and x2 ≤ 8. The transitions carry guards and resets: x1 ≥ 3 / x1 := 0 and x1 ≥ 4 ∧ x2 ≥ 6 / x2 := 0.]
Model Checking the Timed μ-Calculus
§ System properties are expressed in the timed μ-calculus [Henzinger et al. '94]
§ Can express Timed CTL
  • Dense-time version of CTL
§ Two kinds of TCTL formulas:
  • Reachability properties: safety and bounded liveness
    - E.g. AG (file requested ⇒ AF≤5 (file received))
  • Non-reachability properties: unbounded liveness
    - E.g. AG z := 0. EF (z = 1)   [non-zenoness]
Symbolic vs. Fully Symbolic Unbounded Model Checking
§ State space has Boolean and real-valued components
SYMBOLIC
  • Separate representation for real and Boolean components
  • Example: two symbolic states (b, x ≥ 3), (¬b, x ≥ 3)
  • Model checkers: Uppaal, Kronos
FULLY SYMBOLIC
  • Combined representation for real and Boolean components
  • Example: combined state set x ≥ 3
  • Model checkers: RED, DDD (Difference Decision Diagrams), our approach
Unbounded, Fully Symbolic Model Checking [Henzinger, Nicollin, Sifakis, Yovine '94]
§ Set of states represented as a formula f in separation logic (SL)
  • Boolean combinations (∧, ∨, ¬) of
    - Boolean variables: ei
    - Separation predicates: xi ≥ xj + c, xi > xj + c
      · Also called "difference-bound" constraints
      · 0 is represented as the special variable x0
  • Adding quantifiers over clock and Boolean variables gives quantified separation logic (QSL)
§ Fundamental model checking operations
  • Image computation: quantifier elimination for QSL
  • Termination check: validity checking for SL
Our Approach
§ Use a Boolean encoding of separation predicates
§ Quantifier elimination in QSL:
  • Eliminating quantifiers over real variables in QSL reduces to eliminating quantifiers over Boolean variables in quantified Boolean formulas (QBF)
§ Validity checking of SL:
  • By translation to SAT [Strichman, Seshia, Bryant, CAV'02]
Talk Outline
§ Pre-image computation via QSL quantifier elimination
§ QSL quantifier elimination via QBF quantifier elimination
§ Exploiting special QSL formula structure
§ Optimizations
§ Preliminary experimental results
§ Conclusions & future work
Pre Operator
[Figure: discrete pre (pre_d) for a transition with reset x1 := 0 and update b := true, relating a region of the x1–x2 plane with b = true to its pre-image with b = false; timed pre (pre_t), the time-elapse pre-image of a region with b = true.]
Pre Operator
pre(f) ≜ pre_d(f) ∨ pre_t(f)
  • pre_d(f) does not require quantifier elimination
  • pre_t(f) is expressed in quantified separation logic (QSL)
Timed Pre Operator in QSL
Without state invariants:
  pre_t(f) ≜ ∃d. d ≤ x0 ∧ f[d/x0]
Since x0 stands for 0, substituting a value d ≤ 0 for x0 turns every bound xi ≥ x0 + c into xi ≥ d + c, i.e. it shifts all clocks by the same non-negative amount −d, which is exactly a time elapse.
With state invariants:
  pre_t(f) ≜ ∃d. d ≤ x0 ∧ f[d/x0] ∧ ∀e. (d ≤ e ≤ x0) ⇒ f_inv[e/x0]
  • f_inv is the conjunction of all state guards
Quantifier Elimination Problem
§ Start with a QSL formula w, where w ≜ ∃xa. f
  • To handle ∀xa. f, start with ∃xa. ¬f and negate the result
§ Need to find an SL formula f' such that w ≡ f'
§ Previous approaches:
  • Enumerate the DNF terms of f
  • Perform Fourier-Motzkin elimination on each term
  • Differ in the data structure used to represent f, e.g., Difference Decision Diagrams (DDDs) [Møller et al. '99], RED [Wang '03]
§ Problem: there can be exponentially many DNF terms
Example: Difference Decision Diagrams (DDDs) [Møller et al. '99]
∃x3. (x1 ≥ x3 ∨ x3 ≥ x1 + 2) ∧ x0 ≥ x3 − 5 ∧ x3 ≥ x2
[Figure: the DDD of the quantifier-free part, with decision nodes x1 ≥ x3, x3 ≥ x1 + 2, x0 ≥ x3 − 5, x3 ≥ x2 and terminals 0 and 1, is transformed into a DDD over the nodes x1 ≥ x2, x0 ≥ x2 − 5, x0 ≥ x1 − 3.]
Result: (x1 ≥ x2 ∧ x0 ≥ x2 − 5) ∨ (x0 ≥ x1 − 3 ∧ x0 ≥ x2 − 5)
QSL Quantifier Elimination via QBF Quantifier Elimination
§ Start with w ≜ ∃xa. f
§ Quantifier elimination is done in 3 steps:
  1. Translate w to another QSL formula w' where:
     § w' has quantifiers only over Boolean variables
     § w is equivalent to w'
  2. Encode w' as a QBF
  3. Eliminate the Boolean quantifiers and translate the result back to an SL formula f'
Step 1: Real to Boolean Quantification
∃x3. (x1 ≥ x3 ∨ x3 ≥ x1 + 2) ∧ x0 ≥ x3 − 5 ∧ x3 ≥ x2
becomes
∃e1, e2, e3, e4.  (e1 ∨ e2) ∧ e3 ∧ e4
                  ∧ ((e1 ∧ e4) ⇒ (x1 ≥ x2))
                  ∧ ((e2 ∧ e3) ⇒ (x0 ≥ x1 − 3))
                  ∧ ((e3 ∧ e4) ⇒ (x0 ≥ x2 − 5))      (transitivity constraints)
where e1 ≡ x1 ≥ x3, e2 ≡ x3 ≥ x1 + 2, e3 ≡ x0 ≥ x3 − 5, e4 ≡ x3 ≥ x2
Step 2: Encode Remaining Separation Predicates
∃e1, e2, e3, e4.  (e1 ∨ e2) ∧ e3 ∧ e4
                  ∧ ((e1 ∧ e4) ⇒ e5)
                  ∧ ((e2 ∧ e3) ⇒ e6)
                  ∧ ((e3 ∧ e4) ⇒ e7)      (transitivity constraints)
where e1 ≡ x1 ≥ x3, e2 ≡ x3 ≥ x1 + 2, e3 ≡ x0 ≥ x3 − 5, e4 ≡ x3 ≥ x2,
      e5 ≡ x1 ≥ x2, e6 ≡ x0 ≥ x1 − 3, e7 ≡ x0 ≥ x2 − 5
Step 3: Eliminate Quantifiers and Map Back to SL
∃e1, e2, e3, e4.  (e1 ∨ e2) ∧ e3 ∧ e4
                  ∧ ((e1 ∧ e4) ⇒ e5)
                  ∧ ((e2 ∧ e3) ⇒ e6)
                  ∧ ((e3 ∧ e4) ⇒ e7)
Eliminating e1, e2, e3, e4 gives (e5 ∧ e7) ∨ (e6 ∧ e7),
which with e5 ≡ x1 ≥ x2, e6 ≡ x0 ≥ x1 − 3, e7 ≡ x0 ≥ x2 − 5 maps back to
(x1 ≥ x2 ∧ x0 ≥ x2 − 5) ∨ (x0 ≥ x1 − 3 ∧ x0 ≥ x2 − 5)
Evaluating Our Approach
§ Our approach avoids enumerating the DNF terms of f
§ Can use either BDD or SAT methods for quantifier elimination (or a combination)
  • BDD-based method: can exploit quantifier scheduling heuristics
  • SAT-based method: relies on the SAT solver to enumerate the DNF terms of f'
§ The number of transitivity constraints is at most O(m²), where m is the number of separation predicates in f
Exploiting the Structure of pre_t
§ Consider QSL formulas of the form: ∃e. e ≤ x0 ∧ f[e/x0]
  • Recall that x0 stands for 0
§ Can exploit the special structure to generate fewer quantified Boolean variables
§ Can similarly handle ∃e. e ≥ x0 ∧ f[e/x0]
§ Half of all quantifier elimination operations have this form
A Region in R²
[Figure: a region f in the x1–x2 plane.]
Shifting the Region by e
[Figure: the region f[e/x0] for e ≤ 0; a bound x1 = x0 + c becomes x1 = e + c, so the region is shifted.]
Geometric Interpretation of the Quantified Formula
∃e. e ≤ x0 ∧ f[e/x0] is the shaded region plus f
[Figure: the region f is bounded by x2 ≤ c', x2 − x1 ≥ c'' and x1 ≥ c; the shaded region extends from f along the 45° direction.]
Observation: only lower bounds on f are eliminated; upper bounds and diagonals remain intact
Quantifier Elimination Strategy
§ To eliminate e from ∃e. { e ≤ x0 ∧ f[e/x0] }
  • Introduce existential quantifiers only over the Boolean variables encoding lower-bound predicates in f (bounds of the form xi ≥ c)
  • Generate only those transitivity constraints that involve lower-bound predicates
§ Empirically, this results in a 10 to 20 times speedup
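The three-step procedure of the Step 1 to Step 3 slides, and its use for the timed pre operator pre_t(f) ≜ ∃d. d ≤ x0 ∧ f[d/x0], as an added Python example that is not the authors' TMV code. It assumes a tuple-based formula representation constructed here, supports only non-strict predicates xi ≥ xj + c in negation-free (∧/∨) combinations, replaces the BDD or SAT engine with plain enumeration of the quantified Boolean variables, and omits the invariant conjunct of the second pre_t slide. The first input is the slides' own running example; the pre_t input (3 ≤ x1 ≤ 5 ∧ x2 ≤ 8) is constructed for the demonstration.

```python
from itertools import product

# Added example (not the authors' TMV code). Separation logic formulas are
# nested tuples, constructed here for the demonstration:
#   ('pred', i, j, c)      the separation predicate  x_i >= x_j + c
#   ('and', f, g, ...)     conjunction
#   ('or',  f, g, ...)     disjunction
# x_0 plays the role of the constant 0, as on the slides. Only non-strict
# predicates and negation-free (monotone) combinations are supported, so every
# quantified predicate is a plain upper bound or lower bound on x_a.

def pred(i, j, c=0):
    assert i != j, "a predicate must relate two distinct variables"
    return ('pred', i, j, c)

def predicates(f):
    """Set of separation predicates occurring in f."""
    if f[0] == 'pred':
        return {f}
    return set().union(*(predicates(g) for g in f[1:]))

def evaluate(f, env):
    """Truth value of f once each predicate p is replaced by the Boolean env[p]."""
    if f[0] == 'pred':
        return env[f]
    assert f[0] in ('and', 'or'), "negation is not supported (assumption)"
    values = [evaluate(g, env) for g in f[1:]]
    return all(values) if f[0] == 'and' else any(values)

def transitivity_constraints(xa, quantified):
    """Step 1: an upper bound p: x_i >= x_a + c1 and a lower bound
    q: x_a >= x_j + c2 chain to x_i >= x_j + c1 + c2, giving the constraint
    (e_p and e_q) => x_i >= x_j + c1 + c2. A consequence of None records that
    the two bounds contradict each other (x_i >= x_i + c with c > 0)."""
    cons = []
    for p in quantified:
        for q in quantified:
            if p[2] == xa and q[1] == xa:
                i, c1, j, c2 = p[1], p[3], q[2], q[3]
                if i != j:
                    cons.append((p, q, pred(i, j, c1 + c2)))
                elif c1 + c2 > 0:
                    cons.append((p, q, None))
    return cons

def eliminate(xa, f):
    """Quantifier elimination for (exists x_a . f), Steps 1 to 3 of the slides.
    Returns the result as DNF terms, each a sorted list of conjoined predicates."""
    quantified = sorted(p for p in predicates(f) if xa in (p[1], p[2]))
    cons = transitivity_constraints(xa, quantified)
    # Step 2: the free predicates and the derived ones get Boolean names too.
    remaining = sorted((predicates(f) - set(quantified))
                       | {r for _, _, r in cons if r is not None})
    # Step 3: exists e_1..e_k . F(e, r) and T(e, r), by Shannon expansion
    # (enumeration stands in for the BDD/SAT engine of the paper).
    true_sets = set()
    for rvals in product([False, True], repeat=len(remaining)):
        env = dict(zip(remaining, rvals))
        for qvals in product([False, True], repeat=len(quantified)):
            env.update(zip(quantified, qvals))
            holds = evaluate(f, env) and all(
                not (env[p] and env[q]) or (r is not None and env[r])
                for p, q, r in cons)
            if holds:
                true_sets.add(frozenset(p for p in remaining if env[p]))
                break
    # The result is monotone in the remaining predicates, so its minimal
    # satisfying sets are exactly the terms of its DNF.
    terms = [s for s in true_sets if not any(t < s for t in true_sets)]
    return sorted(sorted(t) for t in terms)

def substitute(f, old, new):
    """f[x_new / x_old]."""
    if f[0] == 'pred':
        return pred(new if f[1] == old else f[1], new if f[2] == old else f[2], f[3])
    return (f[0],) + tuple(substitute(g, old, new) for g in f[1:])

def timed_pre(f, d):
    """pre_t(f) = exists d . d <= x_0 and f[d/x_0], with d a fresh variable
    index; the state-invariant conjunct is omitted here (assumption)."""
    return eliminate(d, ('and', pred(0, d, 0), substitute(f, 0, d)))

def show(terms):
    """Render DNF terms as text, e.g. '(x0 >= x1 - 3 /\\ x0 >= x2 - 5)'."""
    def lit(p):
        i, j, c = p[1], p[2], p[3]
        offset = f" + {c}" if c > 0 else f" - {-c}" if c < 0 else ""
        return f"x{i} >= x{j}{offset}"
    return " \\/ ".join("(" + " /\\ ".join(map(lit, t)) + ")" for t in terms)

# The slides' running example:
#   exists x3 . (x1 >= x3 \/ x3 >= x1 + 2) /\ x0 >= x3 - 5 /\ x3 >= x2
EXAMPLE = ('and', ('or', pred(1, 3), pred(3, 1, 2)), pred(0, 3, -5), pred(3, 2))

# Constructed pre_t input: the region 3 <= x1 <= 5 /\ x2 <= 8.
REGION = ('and', pred(1, 0, 3), pred(0, 1, -5), pred(0, 2, -8))

if __name__ == "__main__":
    print(show(eliminate(3, EXAMPLE)))   # the slides' Step 3 result
    print(show(timed_pre(REGION, 4)))    # x1 >= 3 gone, upper bounds kept, new diagonal
```

On the running example the output is the slides' Step 3 result, (x0 ≥ x1 − 3 ∧ x0 ≥ x2 − 5) ∨ (x0 ≥ x2 − 5 ∧ x1 ≥ x2). On the pre_t input the lower bound x1 ≥ 3 disappears while the upper bounds x1 ≤ 5 and x2 ≤ 8 survive and the diagonal x1 ≥ x2 − 5 appears, which is the geometric observation of the previous slides; the strategy above would quantify only the Boolean variables of lower-bound predicates, whereas this example runs the general procedure and reaches the same formula.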
Optimization: Checking if Bounds are Conjoined
§ Avoid generating transitivity constraints wherever possible
§ ∃x2. x1 ≥ x2 ∨ x2 ≥ x3
  • x1 ≥ x2 and x2 ≥ x3 are not conjoined, hence no transitivity constraint is generated
  • "Conjunctions matrix" [Strichman, FMCAD'02]
§ ∃x2. (x1 ≥ x2 ∧ x2 ≥ x3) ∨ x3 > x2
  • x1 ≥ x2 and x2 ≥ x3 are not conjoined in the minimized DNF of the quantifier-free part, which is equivalent to
  • ∃x2. x1 ≥ x2 ∨ x3 > x2
§ Can be checked easily using BDDs
Optimization for a BDD-based Implementation
§ Suppose we use BDDs to represent the Boolean encodings of SL formulas
§ Some BDD paths might be infeasible (as in the case of DDDs)
  • Use the "Restrict" operator to eliminate paths in the BDD that violate transitivity constraints
  • Problems:
    - Not all infeasible paths are eliminated, due to BDD variable ordering constraints
    - Imposes an overhead
Experimental Setup
§ Benchmark: Fischer's timed mutual exclusion protocol, for increasing numbers of processes
§ Compared against the DDD and RED fully symbolic model checkers
  • For 1 reachability property and 1 non-reachability property
§ Our model checker used the CUDD package as the Boolean (quantification) engine
Results (1)
§ Results for the non-reachability formula (non-zenoness)
  • TMV: our model checker
  • Kronos & RED are the only other model checkers that can handle non-reachability properties

  Number of   Kronos       Red          TMV
  processes   time (sec.)  time (sec.)  time (sec.)
  3           0.03         0.28         0.24
  4           0.23         1.30         0.44
  5           1.98         5.05         0.80
  6           *            17.80        2.15
  7           *            57.95        6.61
Results (2)
§ Results for the reachability property (mutual exclusion)

  Number of   Red          DDD          TMV
  processes   time (sec.)  time (sec.)  time (sec.)
  3           0.06         0.11         0.21
  4           0.11         0.38         1.13
  5           0.33         1.85         4.53
  6           0.90         17.41        15.11
  7           2.65         *            46.31

§ Reason: DDD's local node elimination operations
[Figure: the DDD for x1 ≥ x2 ∨ x1 ≥ x2 + 2, with nodes x1 ≥ x2 + 2 and x1 ≥ x2, is reduced locally to the single node x1 ≥ x2.]
Conclusions & Ongoing Work
§ New fully symbolic model checking technique based on Boolean methods
§ Solving QSL via translation to QBF can
  • Outperform other fully symbolic approaches
  • Check any property in the timed μ-calculus
  • Leverage advances in SAT/QBF
§ Ongoing work
  • Using a SAT-based QBF solver
  • Improving the BDD-based implementation
  • Lazy vs. eager Boolean encoding tradeoffs